Picoctf Web Exploitation CTF Challenges

Kerolos Ayman
4 min readJun 6, 2024

Hello! I’m Kerolos Ayman, Junior Penetration Tester and CTF player.

Today, I will talk about 2 nice challenges that show the importance of viewing the source code of the web application.

First Challenge: Insp3ct0r

Challenge

It says that the following code may need inspection.
Code inspection in software engineering is the process of reviewing the code in an application to check for defects.

So let’s open the challenge and see

There are two options in front of us:
1. What
2. How

When I opened What he said I made a website

So, What about opening How ?

When I opened How he said I used these to make this site: HTML, CSS, JS (JavaScript).

So, Let’s view the page source of this web page

Page Source

Oh! I found the first part of the flag but, there are two missed parts.

He said that he made the website with HTML, CSS, JS and I found the first part of the flag in the HTML so what about searching about the flag in CSS and JS ?

In line 6 there is mycss.cs, let’s open it

mycss.css part 1
mycss.css part 2

Oh! I found the second part of the flag in the CSS code.

Let’s see the line number 7 in page source that contains myjs.js and open myjs.js

myjs.js

Oh! I found the third part of the flag and got the whole flag.

Nice challenge!

Second Challenge: Scavenger Hunt
This challenge is the same idea of the first challenge but there are more ideas.

Challenge

This is the challenge that tells you there is some interesting information hidden around this site.
Let’s open the challenge and see.

Same web page of the first challenge.

Let’s see the page source

We found the first part of the flag.

Let’s see mycss.css in line 6 and myjs.js in line 7.

mycss.css

I found the second part of the flag in mycss.css

myjs.js

When I opened myjs.js, there is a comment says How can I keep Google from indexing my website?

Website indexation is the process by which a search engine adds web content to its index. This is done by “crawling” webpages for keywords, metadata, and related signals that tell search engines if and where to rank content.

After some searching I found that:

So let’s see robots.txt file in the web page.
URL:port/robots.txt

I found the third part of the flag and another comment which is I think this is an apache server… can you Access the next flag?

After some searching I found files called htaccess.
htaccess files allow users to configure directories of the web server they control without modifying the main configuration file.

So let’s open it
URL:port/.htaccess

I found the fourth part of the flag and another comment says I love making websites on my Mac, I can Store a lot of information there.

After a lot of time searching about that, I found file called Ds_Store
In the macOS operating system, .DS_Store is a file that stores custom attributes of its containing folder, such as folder view options, icon positions, and other visual information. The name is an abbreviation of Desktop Services Store, reflecting its purpose.

So let’s open it
URL:port/.Ds_Store

I got the fifth and last part of the flag.

Great challenge that made me know new information.

Tip: See the page source of the web page, you may find juicy things.

If you reach to here so, thanks so much for reading.

My Linkedin account: https://www.linkedin.com/in/kerolos-ayman-19a569255

My channels on Telegram:
https://t.me/CyberSecurityforall24

https://t.me/cybersecurityforall77

Sign up to discover human stories that deepen your understanding of the world.

Free

Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

Kerolos Ayman
Kerolos Ayman

Written by Kerolos Ayman

Bug Hunter || Junior Penetration Tester || CTF Player

No responses yet

Write a response